CVE-2018-15798: Pivotal Concourse allows malicious redirect URLs on login
In Pivotal Concourse Release, versions 4.x prior to 4.2.2, the login flow allows redirects to untrusted websites. A remote, unauthenticated attacker could convince a user to click a login link whose OAuth redirect parameter points to an untrusted website, and thereby obtain that user's Concourse access token.
Severity is high unless otherwise noted.
- Concourse all versions 4.x prior to 4.2.2
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Concourse: 4.2.2
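As an added defensive illustration of the class of flaw described above (this is not Concourse's own code and not the change shipped in 4.2.2): a Go check that honours only rooted, same-origin paths as the post-login redirect target, rejecting absolute, scheme-relative, percent-encoded and backslash variants. The `redirect` query parameter name and the `loginCallback` handler are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// safeRedirectTarget returns where the login flow may send the browser after
// authentication, or "" when the value must be rejected: only rooted paths on
// this origin pass. Illustrative code, not Concourse's own.
func safeRedirectTarget(raw string) string {
	if raw == "" {
		return "/" // nothing requested: land on the application root
	}
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	// Scheme, host or userinfo means off-site ("https://x", "//x", "javascript:").
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return ""
	}
	// Require a rooted path; refuse "//..." after percent-decoding (e.g.
	// "/%2F%2Fevil.example") and any backslash: browsers read both as another host.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") ||
		strings.Contains(raw, `\`) {
		return ""
	}
	// Rebuild from parsed parts so only path, query and fragment survive.
	return (&url.URL{Path: u.Path, RawQuery: u.RawQuery, Fragment: u.Fragment}).String()
}

// loginCallback sketches the post-login step: the client-supplied "redirect"
// parameter (an assumed name) is honoured only after it passes the check.
func loginCallback(w http.ResponseWriter, r *http.Request) {
	target := safeRedirectTarget(r.URL.Query().Get("redirect"))
	if target == "" {
		http.Error(w, "invalid redirect target", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}

func main() {
	for _, in := range []string{"/teams/main/pipelines/p", "//evil.example", "/%2F%2Fevil.example"} {
		fmt.Printf("%q -> %q\n", in, safeRedirectTarget(in))
	}
}
```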
This vulnerability was responsibly reported by Atanas Pashov of SAP.
2018-12-13: Initial vulnerability report published
2018-12-17: Added credit